Security
Last updated: March 2026
Infrastructure
DataDriven runs on Amazon Web Services (AWS). All traffic is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Our servers are hosted in US regions with access restricted to authorized personnel only.
Code Execution Sandboxing
All user-submitted code runs in isolated, ephemeral environments:
- SQL queries execute client-side in your browser using SQLite compiled to WebAssembly (sql.js). No SQL code is sent to our servers.
- Python code runs in isolated Docker containers with no network access, restricted filesystem access, memory limits, and a 10-second execution timeout. Containers are destroyed immediately after execution.
We do not store, log, or retain user-submitted code beyond the duration of execution.
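One way to check the container controls listed above against a running deployment is to audit `docker inspect` output. This is an added example, not DataDriven's own code: the sample data is constructed, mapping "restricted filesystem access" to a read-only root filesystem with no writable bind mounts is an assumption, and the 10-second timeout is assumed to be enforced by the launching process, so it is outside this check.

```python
import json

# Constructed sample of `docker inspect` output for two containers; the
# names and values are illustrative, not taken from any real deployment.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/runner-ok",
   "HostConfig": {"NetworkMode": "none", "ReadonlyRootfs": true,
                  "Memory": 268435456, "AutoRemove": true, "Binds": null}},
  {"Name": "/runner-weak",
   "HostConfig": {"NetworkMode": "bridge", "ReadonlyRootfs": false,
                  "Memory": 0, "AutoRemove": false,
                  "Binds": ["/srv/jobs:/work"]}}
]
""")


def audit_container(info):
    """Return a list of findings for one `docker inspect` entry."""
    hc = info.get("HostConfig", {})
    findings = []
    # "no network access": the container must not be attached to any network
    if hc.get("NetworkMode") != "none":
        findings.append("network: NetworkMode is %r, expected 'none'"
                        % hc.get("NetworkMode"))
    # "restricted filesystem access" (assumed meaning): read-only root
    # filesystem and no bind mount without the "ro" option
    if not hc.get("ReadonlyRootfs"):
        findings.append("filesystem: root filesystem is writable")
    for bind in hc.get("Binds") or []:
        options = ",".join(bind.split(":")[2:]).split(",")
        if "ro" not in options:
            findings.append("filesystem: writable bind mount %s" % bind)
    # "memory limits": Memory is 0 when no limit is configured
    if not hc.get("Memory"):
        findings.append("memory: no memory limit set")
    # "destroyed immediately after execution": container removed on exit
    if not hc.get("AutoRemove"):
        findings.append("lifecycle: container is not removed on exit")
    return findings


def audit_all(inspect_output):
    """Map container name to its findings; an empty list means compliant."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in inspect_output}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```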
Authentication
We use industry-standard OAuth 2.0 via Google and LinkedIn for authentication. We never receive or store your password. Session tokens are short-lived JWTs stored only in the client and refreshed automatically.
Data Minimization
We collect only what is necessary to provide the learning experience:
- Email address and display name (from OAuth provider)
- Learning activity data (challenge attempts, lesson progress, skill scores)
We do not collect payment information directly. Subscriptions are managed entirely through the Apple App Store.
Access Controls
API endpoints enforce authentication and authorization checks. Administrative operations require elevated privileges. Database access follows least-privilege principles with role-based access controls.
Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly by emailing support@datadriven.io with details. We take all reports seriously and will respond within 48 hours.
Contact
Security questions? Email support@datadriven.io.